from the go-go-godzilla dept

It seems that everyone is giving EA and Maxis quite a bit of grief over the SimCity debacle. The game's launch was, um, not great. The backlash against the game's producers was worse, all the more so once the lying began. But late last week, new evidence was uncovered that suggests perhaps we've all been a little bit unfair to EA and Maxis. What if I told you that the always-online game architecture enabled you to be what all of us have secretly wanted to be since we were very, very little children?

Just so we're clear, this is only possible because of the EA always-online requirement.

It's still awesome because this hack is only as destructive as it is because of EA's decision to make the game always-on. If the game hadn't had always-on DRM then this hack wouldn't be half as devastating as it is. Having EA delete these kind of topics from their forums is great damage control but don't be surprised if there's another furor when people start raging on the forums when some hacker decides to go through and Godzilla everyone's town. Enjoy.

Enjoy indeed, as long as that enjoyment happens outside of EA's forums. As noted above, the company is enforcing their TOS rules on their forums and deleting all topics relating to these kinds of hacks. Why? Well, because when a dingo is chewing on your arm, the best defense is to place your noggin lovingly into some sand to make it all just disappear. Or, if that doesn't work, you could always just apologize for what is becoming the greatest video game debacle this side of a Duke Nukem game, but I'm not holding my breath.

Re:

I don't know what it is about destroying other people's work that sounds like so much FUN. If this destruction couldn't be undone, it might actually be the first justification of always-online play and data storage that I would agree as being significant to everyone's gameplay.

Re: Re:

No it would point to people rather having offline games files that nobody can hack into or change in any way, have you ever played a game? Seriously either you have never ever played a game or you are an EA exec trying unsuccessfully to con people into thinking EA has better server side security than people have on their own computers, you do know what security is don't you?

The rate this is going I would not be surprised to hear that hackers have managed to set up a full server to service SimCity and are making money from all the lovely loot they are selling to people that don't realise, or even do realize, that they are not logged onto official EA servers.

Re: Re: Re:

I... really want to think this is not a reply that is correctly placed instead of a spectacular example of a failure in reading comprehension.

In case of the latter: Destroying other people’s cities on the servers for them to log back into and try to fix the mess, would be the first non-trivial feature of the new SimCity that would make use of on-line play. Yes, this is a hypothetical thing right now; downloading other people’s cities as described in the article is an unintended consequence of how EA set up the game (i.e. bad security design) and does not actually affect other players right now, but that mistake inspires people to imagine the greatest possible feature they could have included in the SimCity reboot.

Re: Re: Re:

And I don't see how what I first said can be taken as approving of EA's security practices, this whole thing being made possible by completely horrid security, but Origin apparently allows people to run malicious code on your computer by way of *drumroll*... unprotected link handler execution. Classics never die apparently.

Re: Re: Re: Re:

Although I do like a good spreadsheet, I admittedly can't keep up with people that tap phone lines to win.

Spoken like a true Eve Online player...

If you ever need to find someone truly afraid of shadows, all you need to do is find someone who's played the game within a player corporation (not run by themselves). I played for a year and a half within an NPC/PC owned by myself, and 1 year in a player-run corporation, and during that time in the player-run corporation, I had the most fun and yet the least fun playing the game. Spies are everywhere! Even my best friends in the game were kept at arm's distance. I can't believe how paranoid I got in that game... gave it up because the drama was getting to me.

Re: Re:

I disagree that the linked article actually provides support for the notion that these changes can affect the server.

The first quote you cite appears to simply be the author's analysis (which appears to be incorrect).

The second quote you cite is referring to a different situation where client-side files can affect server-side changes. However, these were players affecting things within their own city (such as city-size limits, etc). I imagine these things were always client enforced, and changing the client's rules had no effect on the server.

The linked article also notes:

"...however the modder notes that he turned off synching". This implies to me that an attack that caused the local-changes to be synched has not yet been performed. The quote from the modder further supports this:

It sounds like there has not yet been an attack where someone changes another person's city and successfully syncs it. The modder has noted that more work would remain before such an attack would be successful (spoofing the owner's ID). I'm not arguing that such an attack is impossible, but until it occurs this is a total non-event.

Re: Re: Re: Re:

I will note that I haven't disputed their word or their video evidence, though. In fact, I quoted the modder himself to note that server-syncing of these toys hasn't been performed.

The video evidence (which I don't dispute) clearly shows the modder destroy a local copy of his friends' cities. What I dispute is the notion that this permanently destroys the friends' cities. In fact, the youtube video that this sources from says quite clearly:

Re: Re: Re: Re: Re:

That only means he gained access and turned off syncing as a courtesy to those whose games he hacked. Imagine if you will, if syncing was turned on while he hacked an account....the video shows it is possible to access another person's city.

Re: Re: Re: Re: Re:

Now tell me,

Do you seriously think EA and Maxis, after all this, have done the necessary server-side legwork to prevent players from uploading malicious save files to their server?

The exploit that caused this, if you read into it, was just accepting that the client was exactly who it claimed to be. That is kindergarten level programming that shouldn't have left QA, much less be shipped in an actual game.

I somehow doubt your supposition that just because the modder CHOSE to not ruin other people's cities because he values the hard work and fun of other players somehow means that he couldn't. Especially when we have three-stooges levels of coding practices at work inside Maxis and EA.

Re: Re: Re: Re:

I consider the source to be the modder. His words, in comments on the youtube video:

"IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED - nothing got synced to server."

and

"There is still no city syncing at this most basic level, so you can wreak havoc on a friend's city, quit out, log back in, and it's back the way it was - great fun! I am worried about people that go deeper into the code and start spoofing the owner ID's of cities and start doing this maliciously though." http://www.youtube.com/watch?feature=player_embedded&v=ROy6VE5ZsZw

I do agree that the linked article makes the claim that this means you can destroy the cities permanently. I disagree with that claim; I've provided my evidence to back this up.

Re:

"Well, you can damage a local copy of someone's city that gets over-written when you connect back to the server..."

This is my understanding also. Many of the articles I've seen reporting this event suggest the person simply didn't sync his changes to the server; from my reading it is that the person can't sync his changes to the server.

The fact that someone is able to do this locally is a non-event. If someone is able to do this in a way that persists to the servers, well, that's more interesting.

As much as I hate EA, and as much as the SimCity launch was a failure, I don't understand why this particular story is getting widespread attention.

Re: Re:

suggest the person simply didn't sync his changes to the server; from my reading it is that the person can't sync his changes to the server.

It's unclear which is the case. However, which it is can be thought of as a security competence question - whether or not EA can design and build a robust server infrastructure to prevent PersonA making changes to PersonB's stuff. Let's take a quick look at EA's past competence level in regards to SimCity.

1) Competence in allocating enough server resources to handle load?
Fail.
2) Competence in adjusting to unforeseen load?
Fail.
3) Competence in designing software to meet their own goals?
Fail (fudging population/simulation of individual agents).
Fail (dumb as a box of dull rocks pathing AI).
Fail (secure software, i.e. left developer mode in, leading to this possibility).
4) Overall competence in admitting when they were wrong so they could salvage the situation?
Fail.

Since they fail at so much, what makes you think their server design/infrastructure is competently designed to disallow Godzilla-ing someone else's city?

Re: Re: Re:

So, my understanding from reading the sources is that what we've seen so far is a local change that hasn't been sync'd to the server.

I agree that it's totally possible for someone to develop an attack that breaks EA's servers. I definitely don't think EA's servers are perfectly protected and it's very possible that someone will be able to break their protection.

As soon as someone does break their protection, I think it's a very news-worthy story. Until they do, I read this as an "here's something interesting you can do to your friends' cities if you're bored, and have the misfortune of having purchased SimCity".

Re:

RIAA and MPAA have lost so much funding. They are barely able to deliver the money to politicians with the funding cuts they have received! No money, no laws. TAFTA is still far too far away in the distance to give any meaning lobbying for.

The most basic level of security a multi-user environment must have is separation of privileges. This path has been beaten over, and over, and over...and over again. To fail at this shows complete lack of either knowledge or competence.

Re:

I doubt you'll see any more Prenda articles until the 29th. That's when the fireworks are scheduled, anyway.

Personally, I never tire of the delicious egg on EA's face. I've had a bone to pick with them for about 13 years, ever since they turned the very-promising "Need for Speed: Motor City" into "Motor City Online" and made it online-only when a large percentage of internet users only had unreliable dial-up connections.

Re:

Three! I only read 2, damn it.

No it's not enough. EA sells this shit and their stock goes up. Unreal.

This may not be precisely up TD's alley, but there's a real problem of customers not understanding that EA's business model of shit = profit is working wonderfully. Disposable consumers and, um, "liquidating" title loyalty.

EA's CEO just stepped down. LAWL.

Re: EA's CEO just stepped down. LAWL.

Just read that on Engadget.
Sadly they're just going to find another Sock Puppet for their board; the Chairman standing in for CEO right now is Larry Probst (the CEO before Riccitiello). Although slightly entertaining to see the issue they downplayed is actually bigger than they would admit.

Until the board is done bashing their collective face into their finely crafted meeting room table, don't expect any changes. Boards select these CEOs then fight them to keep the board's interests as the primary concern, which happens to be stocks and not the health of the company.

I don't suppose there's any chance of someone committing 'Duke Nukem' on EA, is there? Now that would ALMOST be worth all the grief, the lies and the bullshit that they have put out up till now (but I doubt have stopped putting out. There has to be more on the way. After all, once you start lying, they just get bigger, broader and downright worse as time goes on!)

As one EA forum member points out, SimCity's sim-people use the same sort of AI-handling "agent system" that traffic and sewage and power uses. The results are not pretty.

The problem is that, just as power can sometimes take a ridiculously long time to fill the entire map (because the "power agents" just randomly move about with no sense) traffic and workers can do the same thing. Workers leave their homes as "people agents." These agents go to the nearest open job, not caring at all where they worked yesterday. They fill the job, and the next worker goes to the next building and fills that job, and so it goes until all the jobs are "filled." So, when you have all your "worker" sims leaving their houses for work in the morning, they all cluster together like some kind of "tourist pack" until they have all been sucked into "jobs." They don't seem to care if the job is Commercial or Industrial, only that it's a job.

"Scholars" are handled exactly the same way. As are school busses and mass-transit agents. This is why you see the "trains" of busses roaming through your city, and why entire sections of town may never see a school bus, despite having plenty of stops... Once all the busses are full, they return to school and stay there until school is done for the day.

Now, here is where it gets really good... In the evening, when work and school lets out, they all leave and proceed to the absolute closest "open" house. They don't "own" their houses. The "people" you see are actually just mindless agents (much like the utilities agents, as I said earlier) making the whole idea of "being able to follow a 'Sim' through their entire day" utterly POINTLESS!!"

-Instead of returning to their own homes, individual Sims would drive into the nearest home available.

-Instead of driving on empty roads, Sims would take the shortest path available, even if that led straight into congestion.

Re:

"The problem is that, just as power can sometimes take a ridiculously long time to fill the entire map (because the "power agents" just randomly move about with no sense) traffic and workers can do the same thing. Workers leave their homes as "people agents." These agents go to the nearest open job, not caring at all where they worked yesterday."

Give me the days when all you had to worry about were budget, traffic problems, pollution, population, crime, and disasters. That is all I request..the simplicity of the original with the updated graphics of today.

Re:

I didn't expect this from Techdirt

To use an analogy, what we have here is essentially someone downloading saves of other players and doing stuff to them locally. That's absolutely it.

It might be that someone finds a way to get the server to accept the changed save by spoofing the ownerid, but considering that the trick has been in the open for two or so days now and there is no news whatsoever of that happening, it will, at the very least, be non-trivial to do so.

This is about damaging local copies of cities

It's like photoshopping a moustache on a photograph of someone, funny but not harmful in any way. Nobody has damaged data on a server and nobody has any evidence that it's possible. Wish OP would fix the article.

This is somewhat misleading

This is taking place on a local version of the map, the one you load up when you view someone else's city. A bug where you could place parks while viewing someone else's city has been in since launch.

These changes are not and currently cannot be synced with the server; the modder was only talking about being worried that someone would be able to spoof other player IDs down the road and cause trouble. We don't know if that can be done and we don't know if there are server side checks that would prevent it if you could.

In short I'm on the hate EA train as much as everyone else, but there are plenty of real issues, so we don't have to start making crap up.

What's happened here is some messing with the debug mode has allowed someone to mess around with the local data used to allow viewing of other people's cities in a region. This has nothing to do with the DRM and currently, and is frankly unlikely to, lead to being able to damage other people's saves.

I'd expect Techdirt to do better than this; even reading the YouTube description rather than the sensationalist blog should make all the above perfectly clear.

IMPORTANT NOTE: I have NOT enabled syncing of data for this. All cities you see in this video remain UNHARMED - nothing got synced to server. I would not condone any action which could actually harm another player's city without permission!

So, this was done by editing the SimCity packages, tweaking some code, and getting the game to think that, when I visited a random person's city in a random region, I WASN'T in observer mode, and force enabling of edit mode so that I had full access to the city as if it was my own. There is still no city syncing at this most basic level, so you can wreak havoc on a friend's city, quit out, log back in, and it's back the way it was - great fun! I am worried about people that go deeper into the code and start spoofing the owner ID's of cities and start doing this maliciously though. Hopefully there are server side safeties on this... hmmm.
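The "server side safeties" the modder's note hopes for, sketched as an added example (not part of the original comment or video description, and not EA's or Maxis's code): a sync handler that takes the city owner from a server-issued session token and ignores any owner ID or edit-mode flag the client sends, shown beside a handler that trusts those client claims. The token format, function names and sample cities are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample state; this is not SimCity's real protocol or data model.
SERVER_KEY = b"constructed-demo-key"
CITY_OWNERS = {"city-101": "alice", "city-202": "bob"}
CITY_DATA = {"city-101": "intact", "city-202": "intact"}


def issue_token(player_id: str) -> str:
    """Server-issued session token: player id plus an HMAC only the server can compute."""
    mac = hmac.new(SERVER_KEY, player_id.encode(), hashlib.sha256).hexdigest()
    return f"{player_id}.{mac}"


def authenticated_player(token: str):
    """Return the player id bound to a valid token, or None if the token is forged."""
    player_id, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, player_id.encode(), hashlib.sha256).hexdigest()
    ok = player_id and hmac.compare_digest(mac.encode(), expected.encode())
    return player_id if ok else None


def sync_trusting_client(request: dict) -> bool:
    """Weak form: believes the owner id and edit-mode flag supplied by the client."""
    city = request["city"]
    if request["mode"] == "edit" and request["claimed_owner"] == CITY_OWNERS[city]:
        CITY_DATA[city] = request["payload"]
        return True
    return False


def sync_server_checked(request: dict) -> bool:
    """Hardened form: ownership is decided from the session token alone."""
    player = authenticated_player(request.get("token", ""))
    owner = CITY_OWNERS.get(request.get("city"))
    if player is None or owner is None or player != owner:
        return False  # client-side mode flags and claimed owner ids are never consulted
    CITY_DATA[request["city"]] = request["payload"]
    return True


def demo() -> dict:
    """Bob, with a valid session of his own, submits a sync for Alice's city."""
    forged = {"city": "city-101", "claimed_owner": "alice", "mode": "edit",
              "payload": "flattened", "token": issue_token("bob")}
    weak = sync_trusting_client(dict(forged))
    CITY_DATA["city-101"] = "intact"  # reset the constructed state between runs
    strong = sync_server_checked(dict(forged))
    return {"weak_accepts": weak, "hardened_accepts": strong,
            "city": CITY_DATA["city-101"]}
```
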